Merge branch '36-add-web-and-kratos-paths-in-nginx-configuration' into 'main'

Resolve "Add web and kratos paths in nginx configuration"

Closes #36

See merge request stackspin/dashboard!23

deployment/helmchart/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: common
   repository: https://charts.bitnami.com/bitnami
-  version: 1.11.1
+  version: 1.13.0
-digest: sha256:a000bcd4d4cdd813c67d633b5523b4a4cd478fb95f1cae665d9b0ba5c45b40e2
+digest: sha256:e83af41b39942278f8389623671732e624f28c6f1ad6ac2d937e210c5f354a18
-generated: "2022-02-10T15:57:46.223230425+01:00"
+generated: "2022-04-04T14:32:41.194922427+02:00"

deployment/helmchart/Chart.yaml

@@ -1,7 +1,7 @@
 annotations:
   category: Dashboard
 apiVersion: v2
-appVersion: 0.1.6
+appVersion: 0.2.0
 dependencies:
   - name: common
     # https://artifacthub.io/packages/helm/bitnami/common
@@ -23,4 +23,4 @@ name: stackspin-dashboard
 sources:
   - https://open.greenhost.net/stackspin/dashboard/
   - https://open.greenhost.net/stackspin/dashboard-backend/
-version: 0.1.7
+version: 0.2.0

deployment/helmchart/templates/configmaps.yaml

@@ -16,8 +16,12 @@ data:
   HYDRA_CLIENT_ID: {{ .Values.backend.oidc.clientId }}
   HYDRA_AUTHORIZATION_BASE_URL: {{ .Values.backend.oidc.authorizationBaseUrl }}
   TOKEN_URL: {{ .Values.backend.oidc.tokenUrl }}
-  HYDRA_URL: {{ .Values.backend.oidc.baseUrl }}
+  KRATOS_PUBLIC_URL: {{ .Values.backend.kratos.publicUrl }}
-
+  KRATOS_ADMIN_URL: {{ .Values.backend.kratos.adminUrl }}
+  HYDRA_PUBLIC_URL: {{ .Values.backend.oidc.baseUrl }}
+  HYDRA_ADMIN_URL: {{ .Values.backend.hydra.adminUrl }}
+  LOGIN_PANEL_URL: {{ .Values.backend.loginPanelUrl }}
+  DATABASE_URL: {{ .Values.backend.databaseUrl }}
   # {{- if .Values.backend.smtp.enabled }}
   # DASHBOARD_BACKEND_SMTP_HOST: {{ .Values.backend.smtp.host | quote }}
   # DASHBOARD_BACKEND_SMTP_PORT: {{ .Values.backend.smtp.port | quote }}

deployment/helmchart/templates/deployment.yaml

@@ -138,7 +138,7 @@ spec:
                   name: {{ include "backend.secretName" . }}
                   key: oidc-client-secret
             - name: KRATOS_URL
-              value: {{ .Values.backend.kratosUrl }}
+              value: {{ .Values.backend.kratos.adminUrl }}
             {{- if (include "backend.smtp.password.enabled" .) }}
             - name: DASHBOARD_SMTP_PASSWORD
               valueFrom:

deployment/helmchart/templates/ingress.yaml

@@ -19,6 +19,7 @@ metadata:
     kubernetes.io/tls-acme: "true"
   {{- end }}
   {{- end }}
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
 spec:
   {{- if or .Values.ingress.tls .Values.ingress.extraTls }}
   tls:
@@ -36,31 +37,28 @@ spec:
     - host: {{ .Values.ingress.hostname }}
       http:
         paths:
-          - path: {{ .Values.ingress.path }}
+          - path: {{ .Values.ingress.path }}(.*)
             {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
             pathType: {{ .Values.ingress.pathType }}
             {{- end }}
             backend: {{- include "common.ingress.backend" (dict "serviceName" (include "dashboard.serviceName" .) "servicePort" "dashboard-http" "context" $)  | nindent 14 }}
           # Forward API calls to the back-end container
-          - path: {{ .Values.ingress.path }}api/v1
+          - path: {{ .Values.ingress.path }}(api/v1.*)
             {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
             pathType: {{ .Values.ingress.pathType }}
             {{- end }}
             backend: {{- include "common.ingress.backend" (dict "serviceName" (include "backend.serviceName" .) "servicePort" "backend-http" "context" $)  | nindent 14 }}
-    {{- end }}
+          - path: {{ .Values.ingress.path }}(web.*)
-    {{- range .Values.ingress.extraHosts }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
-    - host: {{ .name }}
+            pathType: {{ .Values.ingress.pathType }}
-      http:
-        paths:
-          - path: {{ default "/" .path }}
-            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
-            pathType: {{ default "ImplementationSpecific" .pathType }}
-            {{- end }}
-            backend: {{- include "common.ingress.backend" (dict "serviceName" (include "dashboard.serviceName" $) "servicePort" "dashboard-http" "context" $) | nindent 14 }}
-          - path: {{ default "/" .path }}api/v1
-            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
-            pathType: {{ default "ImplementationSpecific" .pathType }}
             {{- end }}
             backend: {{- include "common.ingress.backend" (dict "serviceName" (include "backend.serviceName" .) "servicePort" "backend-http" "context" $)  | nindent 14 }}
+          - path: {{ .Values.ingress.path }}kratos/(.*)
+            pathType: {{ .Values.ingress.pathType }}
+            backend:
+              service:
+                name: kratos-public
+                port:
+                  number: 80
     {{- end }}
 {{- end }}

deployment/helmchart/templates/job-initialize-user.yaml

@@ -0,0 +1,55 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "common.names.fullname" . }}-initialize-user
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    component: dashboard
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+spec:
+  template:
+    metadata:
+      labels: {{- include "common.labels.standard" . | nindent 8 }}
+        component: dashboard
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: {{ .Chart.Name }}-login-create-admin
+        image: {{ template "backend.image" . }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+        envFrom:
+          - configMapRef:
+              name: {{ include "common.names.fullname" . }}
+          {{- if .Values.backend.extraEnvVarsCM }}
+          - configMapRef:
+              name: {{ .Values.backend.extraEnvVarsCM }}
+          {{- end }}
+          {{- if .Values.backend.extraEnvVarsSecret }}
+          - secretRef:
+              name: {{ .Values.backend.extraEnvVarsSecret }}
+          {{- end }}
+        env:
+          - name: SETUP_EMAIL
+            value: {{ .Values.backend.initialUser.email }}
+          - name: SETUP_PASSWORD
+            value: {{ .Values.backend.initialUser.password }}
+          - name: KRATOS_PUBLIC_URL
+            value: http://kratos-public:80
+        command: ["/bin/bash", "-c"]
+        args:
+          - flask db upgrade;
+            {{- if .Release.IsInstall }}
+            flask cli user create $SETUP_EMAIL;
+            flask cli user setpassword $SETUP_EMAIL $SETUP_PASSWORD;
+            flask cli app create dashboard Dashboard;
+            flask cli user setrole $SETUP_EMAIL dashboard admin;
+            {{- end }}
+

deployment/helmchart/values-local.yaml.example

@@ -1,17 +1,38 @@
 # Values you will likely want to override. See values.yaml for their meanings
 
 dashboard:
-  host: dashboard.oas.example.com
+  host: dashboard.stackspin.example.com
 
 backend:
   secretKey: My random secret key
+  # OIDC connection details
+  #
+  # oidc:
+  #   clientSecret: ReplaceWithSecret
+  #   baseUrl: https://sso.stackspin.example.org
+  #   authorizationBaseUrl: https://sso.stackspin.example.org/oauth2/auth
+  #   tokenUrl: https://sso.stackspin.example.org/oauth2/token
+
+  # Where to find the Kratos public url
+  kratos:
+    publicUrl: https://sso.stackspin.example.org/kratos
+
+  # Public URL of login panel
+  loginPanelUrl: https://dashboard.stackspin.example.org/web/
+
+  # Database connection
+  # databaseUrl: mysql+pymysql://stackspin:password@single-sign-on-database-mariadb/stackspin
+
+  initialUser:
+    email: admin@example.com
+    # password: Set a pasword for the initial user!
 
 ingress:
   enabled: true
-  hostname: dashboard.oas.example.com
+  hostname: dashboard.stackspin.example.com
   # Get certificates with cert-manager
   certManager: true
   tls:
     - hosts:
-        - dashboard.oas.example.com
+        - dashboard.stackspin.example.com
-      secretName: oas-dashboard
+      secretName: stackspin-dashboard

deployment/helmchart/values.yaml

@@ -39,10 +39,19 @@ commonAnnotations: {}
 ## @section Stackspin parameters
 
 ## @param imagePullSecrets Specify docker-registry secret names as an array
+## @param imagePullPolicy  Policy on pulling images on container start
 ##
 image:
   imagePullSecrets: []
 
+  ## Specify a imagePullPolicy
+  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+  ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ##
+  ## Same policy for all containers is used.
+  ##
+  pullPolicy: IfNotPresent
+
 ## Dashboard configuration parameters
 ## ref: https://open.greenhost.net/stackspin/dashboard
 ##
@@ -59,12 +68,7 @@ dashboard:
   image:
     registry: open.greenhost.net:4567
     repository: stackspin/dashboard/dashboard
-    tag: 0-1-6
+    tag: 0-1-7
-    ## Specify a imagePullPolicy
-    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
-    ##
-    pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
     ## Secrets must be manually created in the namespace.
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
@@ -225,19 +229,13 @@ backend:
   ## @param image.registry Stackspin image registry
   ## @param image.repository Stackspin image repository
   ## @param image.tag Stackspin image tag
-  ## @param image.pullPolicy Stackspin image pull policy
   ## @param image.pullSecrets Stackspin image pull secrets
   ## @param image.debug Specify if debug logs should be enabled
   ##
   image:
     registry: open.greenhost.net:4567
     repository: stackspin/dashboard-backend/dashboard-backend
-    tag: 0-1-4
+    tag: 0-2-0
-    ## Specify a imagePullPolicy
-    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
-    ##
-    pullPolicy: IfNotPresent
     ## Optionally specify an array of imagePullSecrets.
     ## Secrets must be manually created in the namespace.
     ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
@@ -247,8 +245,6 @@ backend:
     ##
     pullSecrets: []
 
-  # URL to the Ory Kratos API
-  kratosUrl: http://127.0.0.1:8000
   oidc:
     clientId: dashboard
     clientSecret: ReplaceWithSecret
@@ -256,6 +252,23 @@ backend:
     authorizationBaseUrl: https://sso.stackspin.example.org/oauth2/auth
     tokenUrl: https://sso.stackspin.example.org/oauth2/token
 
+  # Where to find the Kratos ADMIN and PUBLIC url
+  kratos:
+    publicUrl: https://dashboard.stackspin.example.org/kratos
+    adminUrl: http://kratos-admin:80
+
+  # Where to find the Hydra ADMIN url
+  hydra:
+    adminUrl: http://hydra-admin:4445
+
+  # Public URL of login panel
+  loginPanelUrl: https://dashboard.stackspin.example.org/web/
+  databaseUrl: mysql+pymysql://stackspin:stackspin@single-sign-on-database-mariadb/stackspin
+
+  initialUser:
+    email: admin@example.com
+    # password: Set a pasword for the initial user!
+
   ## Kubernetes service configuration. For minikube, set this to NodePort, elsewhere use LoadBalancer or ClusterIP
   ##
   service:
@@ -646,7 +659,7 @@ ingress:
   path: /
   ## @param ingress.pathType Ingress path type
   ##
-  pathType: ImplementationSpecific
+  pathType: Prefix
   ## @param ingress.annotations Ingress annotations done as key:value pairs
   ## For a full list of possible ingress annotations, please see
   ## ref: https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md
@@ -659,12 +672,6 @@ ingress:
   ## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
   ##
   tls: false
-  ## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
-  ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
-  ## extraHosts:
-  ## - name: dashboard.local
-  ##   path: /
-  extraHosts: []
   ## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
   ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
   ## extraTls: